When it comes to trying to improve the security of websites, one of the problems that we see is that while many people are still not taking basic security measures with their websites there are plenty of companies pushing additional security products and services. In some cases we have seen that the inflated claims of some of those products and services lead people to not take basic measures, since those products and services claim that they will prevent them from being hacked, and because they haven’t taken the basics security measures they end up getting hacked. While we do don’t have much evidence, we are concerned that other people don’t take basic security steps since keeping seems so daunting when they are told they need to being using all of these different products and services to keep their website secure.
A question that underlies this is if these companies actually are all that concerned about security or if they just trying to make a quick buck peddling products and services whose security implications they have little understanding. One way quick check to get an idea of their concern for security is to see if they are keeping the software running their own websites up to date. The results we have seen in the past haven’t been good, like the time we found that all of the companies we looked that were advertising to clean up hacked Joomla websites were all running outdated software (mostly Joomla). This time around we happen to run across the website of a company name Centrora Security, you can see from the results of a Chrome extension we make that they are not keeping the WordPress installation running their website up to date:
Not only have they not updated it for ever over a year and not updated it for the two most recent major versions, 4.1 and 4.2, but they have missed three security updates for 4.0.x series: 4.0.2, 4.0.4, and 4.0.5. Since WordPress 3.7, minor version updates like those security updates would normally be applied automatically, so either Centrora Security unwisely disabled that feature or some bug is stopping that from happening in their case. If it is the later then Centrora Security could actually help to improve the security of WordPress websites by working the WordPress developers to resolve that, so that others impacted by the issue could also start getting updates.
While they don’t take the basic step of keeping WordPress up to date, they produce a WordPress security plugin that they claim is the “MOST POWERFUL WORDPRESS SECURITY PLUGIN”. Probably not all that surprisingly they are not running the latest version of their own plugin on the website (the readme.txt for the plugin on the websites is from version 4.8.4), even though keeping WordPress plugin update to date is also an important security measures.